Skip to content

Real-Time Streams Egress Tests (DM-STREAM)

Validate that real-time and streaming protocols cannot exfiltrate data from the Secure Sandbox. Cover WebRTC data channels, WebSocket upgrades, gRPC streams, and HTTP/3 (QUIC) with strict proxy, pinning, and default-deny enforcement.

Objectives

  • Deny real-time data channel exfiltration (WebRTC, WebSocket, gRPC streaming, HTTP/3/QUIC).
  • Enforce TLS pinning, proxy mediation, and SNI requirements; block IP-literal connections.
  • Capture ALPN/SNI/IP evidence to prove no fallback to direct or unpinned paths.

Preconditions

  • Network deny-by-default posture: network.capabilities.egressDefaultAction: "deny".
  • Proxy and pinning configured for allowed remotes only.
  • If testing browser-based flows, ensure a clean profile (no extensions) unless in scope.

Controls Under Test

  • Proxy enforcement and TLS pinning (SNI verification, pinned roots/certs).
  • Streaming protocol handling (WebRTC DTLS/SRTP, WebSocket upgrade, gRPC over HTTP/2, HTTP/3/QUIC ALPN).

Test Scenarios

IDScenarioProcedureExpected Outcome
DM-STREAM-01WebRTC Data Channel1) Attempt to establish a WebRTC data channel to an unpinned TURN/peer.
2) Send test payloads.
Connection fails or data channel cannot transmit. Audit shows deny; no UDP/DTLS fallback allowed.
DM-STREAM-02WebSocket Upgrade1) Initiate HTTP Upgrade: websocket to unpinned host/IP.
2) Stream payload over WS frames.
Denied by proxy/pinning/default-deny. Audit shows httpUpgrade: websocket, action: deny.
DM-STREAM-03gRPC Streaming (HTTP/2)1) Use gRPC bidirectional stream to unpinned endpoint.
2) Attempt continuous exfil.
Denied with alpn: h2; no data leaves.
DM-STREAM-04HTTP/3 (QUIC)1) Attempt upload over HTTP/3 to unpinned host or direct IP (IPv6 literal).Denied; audit shows alpn: h3, ipLiteral: true when applicable; no fallback.
DM-STREAM-05SNI-less/IP Literal1) Connect to IP literal without SNI, including alt port (8443).Denied by pinning/SNI requirements; audit captures sni: null, ip: ..., port: 8443.

Evidence Requirements

  • Audit category: network (and dataMotion when pipelines are involved) with: protocol, alpn (h2, h3), sni, ip, port, proxyUsed, pinnedRootRef/pinnedCertRef, httpUpgrade (when applicable), action, outcome.
  • Include correlation fields: sessionId, appId, siteRef, and integrity.hash/prevHash.

Example Audit Artifact

json
{
  "timestamp": "2026-01-21T23:50:00Z",
  "category": "network",
  "protocol": "tls",
  "alpn": "h3",
  "sni": null,
  "ip": "2001:db8::1",
  "port": 8443,
  "proxyUsed": true,
  "pinnedRootRef": "corp-root-2026",
  "action": "deny",
  "outcome": "blocked",
  "reason": "ip-literal-unpinned",
  "sessionId": "b2a14d...",
  "appId": "sandbox-browser",
  "siteRef": "prod-us-1",
  "integrity": { "hash": "sha256-...def", "prevHash": "sha256-...c01" }
}

Troubleshooting

  • Confirm proxy is active and mandatory; disable any direct or PAC-based bypasses for test scope.
  • Validate pinning configuration and check audit for pinnedRootRef or failure reasons.
  • For WebRTC, ensure STUN/TURN servers are not allowlisted unless needed; verify UDP traffic is mediated/denied.

Known Limitations & Negative Space

  • These tests focus on transport-level denial and pinning. Content-layer DLP/transform behavior is validated in Data Motion pipeline pages.
  • Peer-to-peer behaviors vary by browser; use representative versions and capture ALPN/SNI/IP evidence.